FTC Pushing to Hold Companies Liable for Third Parties’ Activities
Recent Federal Trade Commission (FTC) enforcement actions and public statements have shown a renewed focus on trying to hold companies – including technology platforms and other companies dealing with consumer data – accountable for the activities of third parties. In a range of circumstances, the FTC has sought to place the onus on companies to police the conduct of companies that use their platform or with which they do business. This has particular relevance for companies that handle large amounts of consumer data and/or provide platforms that allow for user-generated content. The current Commission has already demonstrated its heightened expectations of companies’ third-party monitoring obligations.
The FTC’s recent settlement with YouTube clearly demonstrated its commitment to shift compliance obligations to platforms. That settlement requires the service to modify its technology platform to allow greater monitoring of third parties’ COPPA compliance – beyond that required by law. The FTC’s COPPA Rule requires certain online operators to obtain parental consent and take other steps if their services are directed to children under the age of 13. The FTC order requires the platform to implement a system for third parties to designate whether their service is directed to children – as the Chairman and Commissioner Wilson describe it in their joint statement, “the first and only mandated requirement on a platform or third party to seek actual knowledge of whether content is child-directed.” That monitoring system is not required by COPPA, and indeed the Chairman’s statement pointedly notes that “this relief will change YouTube’s business model going forward.” Moreover, Commissioner Slaughter dissented from the settlement on the theory that the order should have imposed greater burdens on the platform to monitor third parties for COPPA compliance.
In other circumstances, the FTC has suggested that it will look “up the chain” at platforms to determine if they should be held liable for misconduct by others. For example, testifying at a September 25 hearing before the U.S. House Subcommittee on Financial Services and General Government, Commissioner Chopra suggested that in investigating fraud, the Commission should look at payment facilitators and companies providing the infrastructure for wrongdoing. This kind of scrutiny could be based on an “unfairness” theory, which requires showing that the practice caused or was likely to cause substantial injury to consumers that could not be reasonably avoided, and that was not outweighed by countervailing benefits to consumers or competition. One recent example of this theory is a recent complaint filing against Match Group, which includes an allegation that the company “exposed” consumers to a risk of fraud from scammers on the company’s dating website, which the Commission alleged to be unfair.
And outside of platforms, the FTC has scrutinized companies that obtain consumer data from third parties through allegedly unlawful means. In August, for example, the FTC settled a case with Career Education Corporation, an operator of for-profit schools, alleging that it was responsible for a significant number of unwanted telemarketing calls. Additionally, the FTC alleged that the company was responsible for deceiving consumers when its customer lead generators – who were vendors that it paid for customer referrals – allegedly made deceptive statements to consumers in the course of obtaining their information. The complaint alleged that it knew deceptive conduct was ongoing, but continued to accept consumer leads from the companies. In a recent article, the Director of the Bureau of Consumer Protection, Andrew Smith, stated his view that companies should adhere to higher standards when dealing with customer data they obtain from third parties – reasoning that could be extended outside this case-specific context. He highlighted due diligence obligations, contractual compliance standards, audit rights, monitoring, and even requirements that vendors monitor their subcontractors – “fourth parties” – for violations.
The current Commission continues to be aggressive on enforcement priorities, and the support for all of the legal theories above was unanimous. Companies should pay close attention to their interactions with third parties that may invite scrutiny from the FTC, and recognize that this Commission’s expectations are increasing.